Slashdot Mirror


FTC vs. Open SMTP Relays

HighOrbit writes "Cnet reports on news.com.com that the U.S. Federal Trade Commission, several state Attorneys General, and Australia, Canada and Japan are sending this letter (pdf) to operators of open relay mail servers to educate them on the dangers of open relays and how they help spread spam. Although the letter does not threaten direct law enforcement action, it does let open relayers know that they have been noticed and warned. The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?"

18 of 328 comments

  1. Much better idea: by Anonymous Coward · · Score: 1, Interesting

    Let open relays suffer the consequences for the spam that they inadvertently relay. They should be open to lawsuits.

  2. Some simple logic in order? by PM4RK5 · · Score: 5, Interesting

    Maybe I'm the only one that had this train of thought, but I'll put it here anyways. I, personally, run a home-based server that runs many services (web, ftp, SMTP and POP3 are some of them).

    The threat of being blacklisted would make me change my ways, as I have nothing to gain and everything to lose should that happen. I would presume the same is true for most sys admins out there, who run *honest* servers.

    Now let's say that the few "Open Relay" servers that are left are threatened, but they don't take action. Pardon my conspiracy theory, but it may very well be that these "innocent" open relays are in fact sponsored by spam clearinghouses, in which case server admins have monetary incentive to NOT close their relays.

    I'd imagine the few open relays that are left are supported by spammers in some way, as they are key in spreading spam, and most people don't want spam passing through their systems anyway, so any anti-spam person would probably close their relays as soon as they are first notified.

    So to relate this to the article, I'd say that a letter from the FTC that doesn't threaten *legal* action will provide no more incentive to these system administrators to close the relays; thus the letters become little more than a waste of paper...

    Just my thoughts on the matter.

    1. Re:Some simple logic in order? by kill-hup · · Score: 5, Interesting
      > Pardon my conspiracy theory, but it may very well be that these "innocent" open relays are in fact sponsored by spam clearinghouses, in which case server admins have monetary incentive to NOT close their relays.

      Interesting thought, but I doubt anybody's going to pay to have an open relay stay open. There's just so many of them out there from which to choose! ;)

      I would imagine they all fall into one of the following groups:

      • Insecure default setups
      • Admins who don't know better (or aren't really "admins")
      • Admins that don't give a crap

      Besides, I'd hate to have a business relationship or paper trail with an open relay provider in case it ever becomes possible to sue over an open relay. I'm no lawyer but I'd think you'd be an accessory by paying them to provide a questionable service.

      --
      Sinepaw.org: Grape Winos
    2. Re:Some simple logic in order? by fishbowl · · Score: 2, Interesting

      > It's the same respect you show a cop

      "Are you ORDERING me to close my relay?"

      "No, I am simply making a suggestion that you do so."

      "But you are not ordering me to do it, is that correct?"

      "That is correct."

      "Good day officer, and thank you for your suggestions."

      --
      -fb Everything not expressly forbidden is now mandatory.
  3. Not in the lifetime of TCP/IP by TVmisGuided · · Score: 4, Interesting

    Rumor has it that there's a whole bunch of open relays out there which are owned by the spamhausen. (I'd love to see some evidence to the contrary, but that's asking proof of a negative, so I won't hold my breath.) If we accept that rumor as fact for the sake of argument, all the FTC letter is going to do is tell said spamhausen that their crap is getting to the target audiences, and they'll happily redouble their efforts.

    It's been said before, but it's worth repeating. The best way to eliminate spam is not to go after the machines (and coincidentally the people in charge of the care and feeding of them). Go after the people and companies hiring the spamhausen...the ones pushing their "herbal Viagara" (sic), pr0n, better mortgage rates, and so forth down the wire and into our overloaded mail accounts. Take away the revenue stream, and all those open relays will go idle until someone puts them to better use (for example, Quake 3 servers).

    Just my two cents' worth...save up the change for a root beer or something.

    --
    All the world's an analog stage, and digital circuits play only bit parts.
  4. Southern states taking the lead? by dillon_rinker · · Score: 4, Interesting

    Signed by (among others) the attorneys general of Texas, Louisiana, Oklahoma, Arkansas, and New Mexico. Where are the states that are stereotypically tech-savvy? Where's Washington? Where's California? Why are southern states taking the lead on this? I'd think it was just a regional US thing if it weren't for the international signatures on there. Is it easier to get international agreement than interstate agreement? Seriously, what gives here?

  5. Could it? Would it? by ackthpt · · Score: 4, Interesting
    > The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?"

    Imagine my utter surprise when I returned from running to the PO and Baja Fresh, during lunch, hit [Get Msgs] and Nothing was there to download!!!

    I've been getting from 120-180 Ralsky-grams a day and nothing in the space of 45 minutes is downright unbelievable. I zipped over to the news to see if his house had been raided or he'd been killed by an irate sysadmin. Nothing on the news about it, maybe something is happening? If so, he and his animal food trough wiper friends will probably take a little while to shift over to some other sites and get caught up.

    --

    A feeling of having made the same mistake before: Deja Foobar
  6. We did this by DNS-and-BIND · · Score: 4, Interesting
    I worked at a company that ran open relays. I couldn't get them to shut them down, either. It was because we used a web-based email service, and they wanted people to be able to send mail with Outlook using our mail servers. The system was originally implemented on a unix platform by programmers who had mostly worked with windows in their careers. They were pretty clueless about everything...for example, our SQLnet port was wide-open to the world before I got it firewalled off, and the username was the domain name and the password was the company name spelled backwards. I told them about reply-to and other such measures, but was told that was unacceptable, we needed to keep the relays open. One manager was even demoted and eventually let go because he took it on his own authority to close down the relays one weekend because we were being used to spread the Nigerian bank account spam.

    The real problem? Weird foreign programmers who don't understand How Things Work and moreover don't care, and executives that just want a working system and to hell with being a good netizen.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  7. I don't think it's a admin problem. by BoomerSooner · · Score: 2, Interesting

    It's a protocol problem. SMTP is never going to be good enough. For example, I run qmail, courier, horde/imp. To keep it from being an open relay I use relay-ctrl. However in my testing (to make sure it wasn't open) I found a few very interesting things. On 99% of email servers if you know how to properly input the mail headers you can send anyone an email on that server.

    Granted this isn't an open relay but if you have a list of everyone at Intel (or not, just figure out their email addresses via a web search), you could easily email all of them anything you wanted (as the spammer) only using their own mail server. I haven't tried this on a lot of servers but I have a very high success rate (I only try it with my friends' accounts on different servers and I let them know ahead of time so they aren't confused).

    This just helps make my point. Non-authenticated SMTP is killing the internet. If the bigwigs would come out with a new OPEN protocol (AOL, MSN, Earthlink, ... in conjunction with the OSS community) it would (theoretically) solve a growing problem.

    It would be good for the software makers of email clients/servers as well because they could sell an entirely new set of software.

    I guess I'm just idealistic. I think it can be done.

    Then again, if one more damn tornado gets within 2 miles of me I may move to Colorado (like all the Californians! lol ;^)
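
The distinction drawn in the comment above, between relaying mail onward and accepting mail for a server's own users, is the decision a mail server makes at each RCPT TO. The following is an added example, not part of the original thread and not the code of qmail or relay-ctrl; the domain, network and function names are hypothetical.

```python
import ipaddress

# Constructed sample policy: domains this server is the final destination for,
# and networks whose clients may relay without authenticating.
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def split_recipient(rcpt):
    """Return (local_part, domain), or None for addresses that hide a second hop."""
    addr = rcpt.strip().strip("<>")
    # Source routes (@hop:user@dest), the percent hack (user%dest@hop) and
    # bang paths (hop!user) ask the server to forward on: refuse them outright.
    if addr.startswith("@") or addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain or "%" in local or "!" in local:
        return None
    return local, domain.lower().rstrip(".")


def rcpt_decision(client_ip, authenticated, rcpt, open_relay=False):
    """Decide the reply to one RCPT TO command.

    open_relay=True models the misconfiguration the FTC letter is about:
    any client may hand over mail for any destination.
    """
    parsed = split_recipient(rcpt)
    if parsed is None:
        return "reject: malformed or routed address"
    _, domain = parsed
    if domain in LOCAL_DOMAINS:
        # Final delivery: any client may send to local users (this is not relaying).
        return "accept: local delivery"
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in TRUSTED_NETS):
        return "accept: relay for known client"
    if open_relay:
        return "accept: relay for anyone"
    return "reject: relaying denied"
```

An unknown client is still accepted for local recipients, which is why closing the relay does not stop mail addressed to the server's own users.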

    1. Re:I don't think it's a admin problem. by hpavc · · Score: 2, Interesting

      yeah, and that sucks when people insist you have relaying open because their script assumes it just because you didn't drop them.

      --
      members are seeing something, your seeing an ad
    2. Re:I don't think it's a admin problem. by GC · · Score: 2, Interesting

      Who is going to check every header in every email?

      What would be the spammer's reaction? Quite easily forge 1000 headers in a single email, using up all resources of your checker and causing a denial of service?

      The SPAM phenonanom (sp?) is somewhat of a battle at the edge of crackerdom; it's the "what can I get away with" philosophy.

      My users may have very valid emails from servers in the .kr domain, yet nearly 99% of our SPAM originates from there. I don't see that as a valid reason to block all their emails.

      I really like the ideas of anti-SPAM co-operation by identifying the fingerprints of mass-emails and relaying those fingerprints to other servers - I'm yet to see the emergence of a company that can proclaim to do this effectively.

      Business Plan anyone?

      1. SPAM
      2. identify own emails
      3. publish fingerprint
      4. profit...

      damn stupid time of night to be thinking about this anyway...

      I noticed a queue building up the other day, apparently, while not being blacklisted, we had been blocked through an IP range by a provider - another customer in our range must have sent out some unsolicited mail, so I called our ISP, asked them whether there was a smart host where I could offload my queue and they obliged... not my problem any more, actually they may have dropped my queue to /dev/null, but at least it ceased to be my problem.

  8. Re:convincing? by Jucius+Maximus · · Score: 2, Interesting
    "just out of curiosity, why would any mail admin want to have an open relay? it must cost the isp time and money as well as make them look bad to the community in general. even those who do support spammers for profit, even they must have some sort of authentication?"

    Maybe the documentation for their mail server is only in English and they only know some other language(s) so they can't find out about how to properly use the server. Supposedly this is part of the problem with open relays in Asia.

  9. Re:Make up your minds Slashdotters by Abm0raz · · Score: 2, Interesting
    Are you as asinine as you sound? We (collectively) can most certainly pick and choose parts of items that we like.

    • I like the power in my new Mustang, but I don't like the layout of the console.

    • I like the girl in the cubicle beside me's cute face and pert breasts. I don't care for her dumpy ass and chunky thighs.

    • I like the concept of Open Source. I hate the mainly user unfriendliness and lack of support of the software I've tried.

    • I like slashdot. I hate trolls.

    • I like the smell of a fresh thunderstorm. I hate the water on the ground that prevents me from rollerblading.

    • I love my cell phone. I hate when people call me when I don't want to talk to them.


    This doesn't make me a hypocrite. It makes me able to appreciate different factors of things and evaluate them all separately as a basis for rating the whole. To suggest that because I hate one part of one thing means that I MUST hate the rest is ludicrous. To suggest even more that because I disliked something in the past, that I must dislike it forever is even worse. Under that theory, I'd still hate beer (mmm ... beer) nor would I have ever forgiven the guy that beat me up when we were in 3rd grade (who is now one of my best friends and drinking buddies).

    Things change, people change.

    -Ab

    --
    Nothing fails quite like prayer.
  10. Re:relay by bluesangria · · Score: 2, Interesting

    Hrrrm. It's actually a bit more difficult than that. Spammers actively look for ways around non-relaying servers, especially in this day of web-based mail forms. We had an incident where a spammer discovered that a poorly coded cgi-form would allow different e-mail addresses to be sent using our web-based mail submittal form. Even though the server was secured against relaying, it wasn't secured against receiving thousands of submittals through its web form. We only noticed it when someone complained to our ISP, who forwarded the notice on to us. We patched it up and sent an apology to our ISP and the original complainer.

    Moral of the story - don't give up complaining to an ISP about spam. You may actually get them to do something about it.

  11. Re:The key is... by GreyPoopon · · Score: 3, Interesting
    > The spammer has to open SMTP connections himself to every mail server he wants to spam people on. This takes a lot more resources than putting 1000 addresses on a BCC list and firing the message off to an open relay that does all the hard work.

    I hate to say it, but this isn't nearly as much work as you might think. All it takes is a little special coding and some database maintenance -- something serious spammers would be more than willing to do. By maintaining a table of mail servers for each domain, a program could easily be created that scans through the list of email addresses, selects the correct mail server for its domain and then routes the email directly through that server. The most work would be maintaining the table of mail servers, but they could just target the big ones like Earthlink, AOL, MSN, Yahoo, Hotmail, etc. If this ever happens, you may see a rise in the popularity of Ma & Pa ISPs again.

    On a good note, spammers who directly route through the recipient's mail server will be much easier to track down -- unless they break into another computer system to do their dirty work.

    --

    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?

  12. err yes that is true by Archfeld · · Score: 4, Interesting

    "Come on, you don't mean that. If somebody sneaks into your house while you're not looking, "borrows" your gun, goes out and kills somebody, you're responsible? You could be accused of negligence but you're not really responsible for the killing"

    Here in Calif. unless you lock it up, with an approved security device or trigger guard YES you are and can be held responsible for gross negligence and possible homicide...no one has taken the homicide charge yet but there have been cases of negligence enforced I believe...

    I agree with you on the Key issue regarding email though...

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:err yes that is true by Anonymous Coward · · Score: 1, Interesting

      Yep happens all the time. Whatever happened to personal responsibility? This idea that it is always someone else's fault when someone does something wrong is stupid.

      My ex ran up a large phone bill, which I had to pay. Even she tried to get the phone company to put it on a separate bill for her to pay. They said no and you (me) don't get a phone till it's paid.
      I asked if someone broke in my house and did the same thing if I will still have to pay it and be without a phone. They said yes. Ludicrous. Someone else does something and you're at fault.

      At least it was a lot quieter around the house!

  13. checking headers by budgenator · · Score: 2, Interesting

    > Who is going to check every header in every email?

    Obviously nobody is going to even try, but a yahoo, aol, msn, Earthlink, or hotmail are going to have hundreds of smtp machines load balanced off one IP address, set up ten out of a hundred to check headers thoroughly and it'll stop a lot of spam.

    I know that you're thinking that this would be like the dutch-boy with his finger in the dike, here's why I think it would be effective

    1. a spam campaign that generates a .01% response rate is considered wildly successful by SPAMMERS.

    2. if you block the one email out of ten thousand that generates revenue, then the spammer has to send an additional 10K Emails to make up the shortfall.

    the cost to the ISP rises linearly, the cost to the SPAMMER rises exponentially; and the ISP have deeper pockets to begin with. Add in the blacklists and the big time spammers are done.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds